Contents

The standard, originally named Content Restrictions, was proposed by Robert Hansen in 2004,[4] first implemented in Firefox 4 and quickly picked up by other browsers. Version 1 of the standard was published in 2012 as W3C candidate recommendation[5] and quickly with further versions (Level 2) published in 2014. As of 2015[update] draft of Level 3 is being developed with the new features being quickly adopted by the web browsers.[6]

The following header names are in use as part of experimental CSP implementations:[3]

Content-Security-Policy – standard header name proposed by the W3C document. Google Chrome supports this as of version 25.[7] Firefox supports this as of version 23,[8] released on 6 August 2013.[9]WebKit supports this as of version 528 (nightly build).[10]

A number of web application frameworks support CSP, for example AngularJS[15] (natively) and Django (middleware).[16] Instructions for Ruby on Rails have been posted by GitHub.[17] Web framework support is however only required if the CSP contents somehow depend on the web application's state—such as usage of the nonce origin. Otherwise, the CSP is rather static and can be delivered from web application tiers above the application, for example on load balancer or web server.

As of 2015[update] a number of new browser security standards are being proposed by W3C, most of them complementary to CSP:[18]

In December 2015[19] and December 2016[20], a few methods of bypassing 'nonce' whitelisting origins were published. In January 2016[21], another method was published, which leverages server-wide CSP whitelisting to exploit old and vulnerable versions of JavaScript libraries hosted at the same server (frequent case with CDN servers). In May 2017[22] one more method was published to bypass CSP using web application frameworks code.

Mapping between HTML5 and JavaScript features and Content Security Policy controls

If the Content-Security-Policy header is present in the server response, a compliant client enforces the declarative whitelist policy. One example goal of a policy is a stricter execution mode for JavaScript in order to prevent certain cross-site scripting attacks. In practice this means that a number of features are disabled by default:

While using CSP in a new application may be quite straightforward, especially with CSP-compatible JavaScript framework,[d] existing applications may require some refactoring—or relaxing the policy. Recommended coding practice for CSP-compatible web applications is to load code from external source files (<script src>), parse JSON instead of evaluating it and use EventTarget.addEventListener() to set event handlers.[23]

According to the original CSP (1.0) Processing Model (2012–2013),[27] CSP should not interfere with the operation of browser add-ons or extensions installed by the user. This feature of CSP would have effectively allowed any add-on, extension, or Bookmarklet to inject script into web sites, regardless of the origin of that script, and thus be exempt from CSP policies.

However, this policy has since been modified (as of CSP 1.1[28]) with the following wording. Note the use of the word "may" instead of the prior absolute "should (not)" wording:

Note: User agents may allow users to modify or bypass policy enforcement through user preferences, bookmarklets, third-party additions to the user agent, and other such mechanisms.

The absolute "should" wording was being used by browser users to request/demand adherence to the policy and have changes installed in popular browsers (Firefox, Chrome, Safari) to support it. This was particularly contentious when sites like Twitter and GitHub started using strong CSP policies, which 'broke' the use of Bookmarklets.[29]

The W3C Web Application Security Working Group considers such script to be part of the Trusted Computing Base implemented by the browser; however, it has been argued to the working group by a representative of Cox Communications that this exemption is a potential security hole that could be exploited by malicious or compromised add-ons or extensions.[30][31]

^Robert Hansen (2009-06-01). "Mozilla's Content Security Policy". Archived from the original on March 18, 2015. Retrieved 2011-06-29. Content Restrictions - a way for websites to tell the browser to raise their security on pages where the site knows the content is user submitted and therefore potentially dangerous.